DeepWAF: Detecting Web Attacks Based on CNN and LSTM Models

The increasing popularity of web applications makes the web a main venue for attackers engaging in a myriad of cybercrimes. With large quantities of information processed and shared by web applications, the need for web attack detection and prevention becomes increasingly pressing. We present a prototype implementation called DeepWAF that detects web attacks using deep learning techniques. We systematically discuss how to make effective use of the currently popular CNN and LSTM models and their combinations, CNN-LSTM and LSTM-CNN. Experimental results on the HTTP DATASET CSIC 2010 dataset demonstrate that all four of our proposed detection models achieve satisfactory results, with a detection rate of approximately 95% and a false alarm rate of approximately 2%. We also carried out case studies to analyze the causes of false negatives and false positives, which can be used for further improvements. Our work further illustrates that machine learning has promising applications in the field of web attack detection.
